NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers

Yu-jun XIAO; Wen-yuan XU; Zhen-hua JIA; Zhuo-ran MA; Dong-lian QI

doi:10.1631/FITEE.1601540

Your Location：

Home >

Browse articles >

NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers

Regular Papers | Updated：2022-05-19

- NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers
  Enhanced Publication
- 一种非侵入式的基于功耗的可编程逻辑控制器异常检测方案
- Frontiers of Information Technology & Electronic Engineering Vol. 18, Issue 4, Pages: 519-534(2017)
- Affiliations：
  
  1School of Electrical Engineering, Zhejiang University, Hangzhou 310027, China
  2Wireless Information Network Laboratory, Rutgers University, North Brunswick, NJ 08902, USA
- Author bio：
- Funds：
- DOI：10.1631/FITEE.1601540
  CLC： TP309.1
- Published：2017-04，
  
  Received：09 September 2016，
  
  Accepted：2017-11-30
- Accepted：
Scan QR Code
YU-JUN XIAO, WEN-YUAN XU, ZHEN-HUA JIA, et al. NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers. [J]. Frontiers of information technology & electronic engineering, 2017, 18(4): 519-534.
DOI：

YU-JUN XIAO, WEN-YUAN XU, ZHEN-HUA JIA, et al. NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers. [J]. Frontiers of information technology & electronic engineering, 2017, 18(4): 519-534. DOI： 10.1631/FITEE.1601540.

摘要

工业控制系统广泛应用于关键基础设施的建设中，关系到国计民生，因此，攻击者越来越多地将其作为攻击目标，并造成严重的破坏。可编程逻辑控制器（Programmable logic controller

PLC）作为工业控制系统中的核心组件，能够直接控制现场设备，一旦PLC中运行了恶意程序，则可能直接造成重大财产损失甚至是人员伤亡。近些年来，针对PLC的攻击事件显著增加，这表明PLC存在很大的脆弱性，同时也提醒人们保护PLC安全的重要性。不幸的是，传统的入侵检测系统和杀毒软件并不能很好地保护PLC的安全，因此，针对PLC的有效的安全防护方案有待被研究。基于上述背景，本文提出了一种非侵入式的基于功耗的PLC异常检测方案。该方案通过分析PLC运行时的功耗变化来检测PLC中是否运行异常程序，分为功耗信息获取与功耗分析两部分。采集功耗信息是通过在PLC的供电线上串入一个电阻实现的，当PLC运行时，测量电阻两端的电压即可获取CPU的功耗信息。为了更好的分析功耗信息，本文首先从原始功耗数据中提取有效的特征值组合，然后利用正常样本来训练一个基于长短记忆（long short-term memory

LSTM）单元的神经网络模型，利用该模型对后续正常样本进行预测，通过比较测量到的功耗信息与预测的功耗信息，可以确定当前PLC中运行的程序是否为正常程序。该方案的优点是无需对原工控系统的封装部分进行软硬件的修改，且无需负样本即可实现对未知攻击的检测。我们在实验室测试平台上对该方法进行了评估，实验表明，对于原程序，只需改动0.63%即可达到99.83%的准确率。

Abstract

Industrial control systems (ICSs) are widely used in critical infrastructures

making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs

the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years

exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately

PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus

an effective method for PLC protection is yet to be designed. Motivated by these concerns

we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption

which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements

we extract a discriminative feature set from the power trace

and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally

an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed

and for a trojan attack whose difference from the normal program is around 0.63%

the detection accuracy reaches 99.83%.

关键词

工业控制系统可编程逻辑控制器边信道异常检测基于长短记忆单元的神经网络模型

Keywords

Industrial control systemProgrammable logic controllerSide-channelAnomaly detectionLong short-term memory neural networks

references

C Alcaraz,,,S Zeadally..Critical control system protection in the 21st century..Computer,,2013..46((10):):74--83..DOI:10.1109/MC.2013.69http://doi.org/10.1109/MC.2013.69..

C Alcaraz,,,S Zeadally..Critical infrastructure protection: requirements and challenges for the 21st century..Int. J. Crit. Infrastr. Protect.,,2015..853--66..DOI:10.1016/j.ijcip.2014.12.002http://doi.org/10.1016/j.ijcip.2014.12.002..

B Bencsáth,,,G Pék,,,L Buttyán,,,等..The cousins of Stuxnet: Duqu, Flame, and Gauss..Fut. Int.,,2012..4((4):):971--1003..DOI:10.3390/fi4040971http://doi.org/10.3390/fi4040971..

W Bolton..Programmable Logic Controllers (6th Ed.),,2015..:USA:Newnes,,..

J Bullock,,,U.C.E.B. Conservatoire..LibXtract: a lightweight library for audio feature extraction..2007..Proc. Int. Computer Music Conf...1--4....

EJ Candes,,,T Tao..Near-optimal signal recovery from random projections: universal encoding strategies?..IEEE Trans. Inform. Theory,,2006..52((12):):5406--5425..DOI:10.1109/TIT.2006.885507http://doi.org/10.1109/TIT.2006.885507..

AA Cárdenas,,,S Amin,,,S Sastry..Research challenges for the security of control systems..2008..Proc. 3rd Conf. on Hot Topics in Security..Article 6..

TM Chen,,,S Abu-Nimeh..Lessons from Stuxnet..Computer,,2011..44((4):):91--93..DOI:10.1109/MC.2011.115http://doi.org/10.1109/MC.2011.115..

SS Clark,,,B Ransford,,,A Rahmati,,,等..WattsUpDoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices..2013..Proc. USENIX Workshop on Health Information Technologies..1--11....

A Coletta,,,A Armando..Security monitoring for industrial control systems..2015..Proc. Conf. on Cybersecurity of Industrial Control Systems..48--62..DOI:10.1007/978-3-319-40385-4_4http://doi.org/10.1007/978-3-319-40385-4_4..

N Dalal,,,B Triggs..Histograms of oriented gradients for human detection..2005..Proc. IEEE Computer Society Conf. on Computer Vision and Pattern Recognition..886--893..DOI:10.1109/CVPR.2005.177http://doi.org/10.1109/CVPR.2005.177..

D Formby,,,P Srinivasan,,,A Leonard,,,等..Who's in control of your control system? Device fingerprinting for cyber-physical systems..2016..Proc. Network and Distributed System Security Symp...1--13....

P García-Teodoro,,,J Díaz-Verdejo,,,G Maciá-Fernández,,,等..Anomaly-based network intrusion detection: techniques, systems and challenges..Comput. Secur.,,2009..28((1-2):):18--28..DOI:10.1016/j.cose.2008.08.003http://doi.org/10.1016/j.cose.2008.08.003..

FA Gers,,,JA Schmidhuber,,,F Cummins..Learning to forget: continual prediction with LSTM..Neur. Comput.,,2000..12((10):):2451--2471..DOI:10.1162/089976600300015015http://doi.org/10.1162/089976600300015015..

CA Gonzalez,,,A Hinton..Detecting malicious software execution in programmable logic controllers using power fingerprinting..2014..Proc. Int. Conf. on Critical Infrastructure Protection..15--27..DOI:10.1007/978-3-662-45355-1_2http://doi.org/10.1007/978-3-662-45355-1_2..

RE Johnson..Survey of SCADA security challenges and potential attack vectors..2010..Proc. Int. Conf. for Internet Technology and Secured Transactions..1--5....

B Kesler..The vulnerability of nuclear facilities to cyber attack..Strat. Insights,,2011..10((1):):15--25....

M Krotofil,,,D Gollmann..Industrial control systems security: what is happening?..2013..Proc. 11th IEEE Int. Conf. on Industrial Informatics..670--675..DOI:10.1109/INDIN.2013.6622964http://doi.org/10.1109/INDIN.2013.6622964..

R Langner..Stuxnet: dissecting a cyberwarfare weapon..IEEE Secur. Priv,,2011..9((3):):49--51..DOI:10.1109/MSP.2011.67http://doi.org/10.1109/MSP.2011.67..

H Lee,,,A Battle,,,R Raina,,,等..Efficient sparse coding algorithms..2006..Proc. 19th Int. Conf. on Neural Information Processing Systems..801--808....

DG Lowe..Distinctive image features from scaleinvariant keypoints..Int. J. Comput. Vis.,,2004..60((2):):91--110..DOI:10.1023/B:VISI.0000029664.99615.94http://doi.org/10.1023/B:VISI.0000029664.99615.94..

T Macaulay,,,BL Singer..Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS,,2011..:USA:CRC Press,,..

P Malhotra,,,L Vig,,,G Shroff,,,等..Long short term memory networks for anomaly detection in time series..2015..Proc. European Symp. on Artificial Neural Networks, Computational Intelligence and Maching Learning..89--94....

LM Manevitz,,,M Yousef..One-class SVMs for document classification..J. Mach. Learn. Res.,,2002..2139--154....

M Mantere,,,I Uusitalo,,,M Sailio,,,等..Challenges of machine learning based monitoring for industrial control system networks..2012..Proc. 26th Int. Conf. on Advanced Information Networking and Applications Workshops..968--972..DOI:10.1109/WAINA.2012.135http://doi.org/10.1109/WAINA.2012.135..

T Morris,,,R Vaughn,,,Y Dandass..A retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems..2012..Proc. 45th Hawaii Int. Conf. on System Science..2338--2345..DOI:10.1109/HICSS.2012.78http://doi.org/10.1109/HICSS.2012.78..

K Nandakumar,,,AK Jain..Local correlation-based fingerprint matching..Proc. ICVGIP,,2004..503--508....

B Ni,,,P Moulin,,,X Yang,,,等..Motion part regularization: improving action recognition via trajectory group selection..2015..Proc. IEEE Conf. on Computer Vision and Pattern Recognition..3698--3706..DOI:10.1109/CVPR.2015.7298993http://doi.org/10.1109/CVPR.2015.7298993..

K Pearson..Mathematical contributions to the theory of evolution. X. Supplement to a memoir on skew variation..Phil. Trans. R. Soc. A,,1901..197443--459....

Y Peng,,,C Xiang,,,H Gao,,,等..Industrial control system fingerprinting and anomaly detection..2015..Proc. Int. Conf. on Critical Infrastructure Protection..73--85..DOI:10.1007/978-3-319-26567-4_5http://doi.org/10.1007/978-3-319-26567-4_5..

R Piggin..Are industrial control systems ready for the cloud? Int..J. Crit. Infrastr. Protect.,,2015..9((C):):38--40..DOI:10.1016/j.ijcip.2014.12.005http://doi.org/10.1016/j.ijcip.2014.12.005..

S Ponomarev,,,T Atkison..Industrial control system network intrusion detection by telemetry analysis..IEEE Trans. Depend. Sec. Comput.,,2016..13((2):):252--260..DOI:10.1109/TDSC.2015.2443793http://doi.org/10.1109/TDSC.2015.2443793..

B Pretorius,,,B van Niekerk..Cyber-security for ICS/SCADA: a South African perspective..Int. J. Cyber Warf. Terror.,,2016..6((3):):1--16..DOI:10.4018/IJCWT.2016070101http://doi.org/10.4018/IJCWT.2016070101..

W Shang,,,P Zeng,,,M Wan,,,等..Intrusion detection algorithm based on OCSVM in industrial control system..Secur. Commun. Netw.,,2016..9((10):):1040--1049..DOI:10.1002/sec.1398http://doi.org/10.1002/sec.1398..

J Slay,,,M Miller..Lessons learned from the Maroochy water breach..2007..Proc. Int. Conf. on Critical Infrastructure Protection..73--82..DOI:10.1007/978-0-387-75462-8_6http://doi.org/10.1007/978-0-387-75462-8_6..

SJ Stone,,,MA Temple,,,RO Baldwin..Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process..Int. J. Crit. Infrastr. Protect.,,2015..9((C):):41--51..DOI:10.1016/j.ijcip.2015.02.001http://doi.org/10.1016/j.ijcip.2015.02.001..

KA Stouffer,,,JA Falco,,,KA Scarfone..Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations such as Programmable Logic Controllers (PLC). Technical Report SP 800-82,,2011..:USA:National Institute of Standards and Technology,,..

H Wang,,,A Kläser,,,C Schmid,,,等..Dense trajectories and motion boundary descriptors for action recognition..Int. J. Comput. Vis.,,2013..103((1):):60--79..DOI:10.1007/s11263-012-0594-8http://doi.org/10.1007/s11263-012-0594-8..

J Xu,,,G Yang,,,H Man,,,等..L1 graph based on sparse coding for feature selection..2013..Proc. Int. Symp. on Neural Networks..594--601..DOI:10.1007/978-3-642-39065-4_71http://doi.org/10.1007/978-3-642-39065-4_71..

W Zhong,,,H Lu,,,M Yang..Robust object tracking via sparsity-based collaborative model..2012..Proc. IEEE Conf. on Computer Vision and Pattern Recognition..1838--1845..DOI:10.1109/CVPR.2012.6247882http://doi.org/10.1109/CVPR.2012.6247882..

Views

Downloads

CSCD

Alert me when the article has been cited

Submit

Tools

Publicity Resources

FAAD: an unsupervised fast and accurate anomaly detection method for a multi-dimensional sequence over data stream

Botnet detection techniques: review, future trends, and issues

Related Author

Bin LI

Yi-jie WANG

Dong-sheng YANG

Yong-mou LI

Xing-kong MA

Ahmad KARIM

Rosli Bin SALLEH

Muhammad SHIRAZ

Related Institution

Science and Technology on Parallel and Distributed Processing Laboratory, College of Computer, National University of Defense Technology

Block Chain Research Institute of LianLian Pay

Faculty of Computer Science and Information Technology, University of Malaya

Department of Computer Science, University of Bradford

Address：Zhejiang University Press, 148 Tianmushan Road, Hangzhou, China Postal code：310028
Tel：+86-571-88273162 Email：fitee@zju.edu.cn
It is recommended to read the content of this site in Chrome&IE9+. Please switch to extreme mode in browser 360.
Cookies We use cookies to help provide and enhance our service and tailor content. By continuing, you agree to the use of cookies.

⁰